What Is Due diligence? Security Definition
On This Page
Quick Definition
Due diligence means doing your homework before you act. In IT, it involves carefully checking systems, contracts, or security measures to make sure everything is safe and compliant. It's like inspecting a used car before you buy it to avoid hidden problems. This process helps organizations avoid legal trouble and data breaches.
Commonly Confused With
Due care is the ongoing implementation and maintenance of security controls after a decision is made, while due diligence is the upfront investigation and evaluation before committing. Think of due care as maintaining your car regularly, while due diligence is checking the car before you buy it.
Performing a background check on a new hire is due diligence. Giving them security awareness training is due care.
Risk assessment is a specific process within due diligence that identifies, analyzes, and evaluates risks. Due diligence is a broader process that includes risk assessment but also covers legal reviews, policy checks, contract negotiations, and independent verification.
When evaluating a cloud vendor, running a vulnerability scan is part of risk assessment. But due diligence also includes reviewing their SOC 2 report and checking their data retention policy.
Vendor management is the full lifecycle of working with a vendor, from selection to termination. Due diligence is the initial evaluation and ongoing monitoring step within that lifecycle. Vendor management includes due diligence but also includes contract management, performance reviews, and exit strategies.
Creating a vendor inventory and negotiating SLAs is vendor management. Checking the vendor’s security certifications is due diligence.
A compliance audit is a formal, often third-party, verification against a standard or regulation. Due diligence can include reviewing compliance audit reports, but due diligence itself is a broader concept that also includes operational checks, technical testing, and risk analysis.
Reviewing a SOC 2 Type II report is a part of due diligence. The SOC 2 audit itself is a compliance audit.
Must Know for Exams
Due diligence is a recurring concept across multiple IT certification exams, including ISC2 CISSP, CompTIA Security+, and ISC2 CC. Each exam treats it with a slightly different emphasis, but the core idea remains the same: due diligence is the proactive process of identifying and managing risk before an event occurs.
In the CISSP exam, due diligence appears most prominently in Domain 1 (Security and Risk Management) under the topics of risk management, compliance, and legal and regulatory requirements. The exam expects you to understand that due diligence is the foundation of liability defense. If an organization can demonstrate that it performed reasonable due diligence, it can reduce or avoid legal culpability after a security incident. Question types often include scenario-based questions where you must decide whether a company acted with due diligence. For example, you might be given a story about a company that did not vet a third-party vendor before sharing sensitive data. The correct answer would identify the missing due diligence step.
In the Security+ exam, due diligence is often embedded in the Governance and Compliance objectives (Sy0-601 domain 2 and 3). You will see questions about vendor risk management, data governance policies, and security controls. The exam may ask you to identify the best next step in a vendor assessment process. You need to know that due diligence includes reviewing policies, performing audits, and checking certifications. The CompTIA Security+ exam also ties due diligence to concepts like risk assessment, business continuity, and incident response planning.
The ISC2 Certified in Cybersecurity (CC) exam covers due diligence as part of the Security Principles domain. It is a foundational concept that supports understanding of governance, compliance, and professional ethics. The CC exam is beginner-friendly, so questions may be more direct, such as asking you to define due diligence or identify an example of it.
Across all three exams, the common trap is confusing due diligence with due care. Due diligence is the investigative and evaluative process, while due care is the ongoing implementation of protective measures. Another exam trap is thinking that due diligence is only about technical controls, when in reality it also includes legal, procedural, and human factors. To score well, you need to be able to apply due diligence to realistic scenarios and distinguish it from related concepts like risk assessment, vendor management, and security audits.
Simple Meaning
Imagine you are thinking about buying a house. You would not just hand over your money and hope for the best. You would hire an inspector to check the roof, the foundation, the plumbing, and the electrical system. You would also look into the neighborhood, check for any liens on the property, and read the fine print in the contract. That whole process of careful checking before you commit is due diligence.
In the IT world, due diligence works the same way. It is the careful investigation and verification that happens before a company adopts new software, hires a cloud provider, or merges with another company. For example, if a company wants to move its customer data to a cloud service, due diligence means reading the service provider’s security policies, checking their data encryption standards, confirming they comply with laws like GDPR or HIPAA, and testing their incident response plan. The goal is to uncover any hidden risks that could lead to a data breach, legal penalty, or financial loss.
Due diligence is not a one-time event. It is an ongoing practice. Companies must continuously monitor their vendors, update their risk assessments, and review their own policies. If a new vulnerability is discovered in a software tool the company uses, due diligence requires them to quickly evaluate the risk and patch or replace the tool. In short, due diligence is about being thorough, proactive, and responsible. It protects the organization, its customers, and its reputation.
Full Technical Definition
Due diligence in IT security governance refers to the systematic process of evaluating and verifying the security posture, compliance status, and risk profile of an organization, vendor, or technology before entering into a relationship or making a significant change. It is a core principle of risk management and is explicitly required by many regulatory frameworks and standards, including ISO 27001, NIST SP 800-53, PCI DSS, and GDPR.
From a technical perspective, due diligence involves multiple layers of assessment. At the organizational level, it includes reviewing security policies, incident response plans, business continuity plans, and data classification schemes. At the technical level, it includes conducting vulnerability scans, penetration tests, and configuration audits. For example, when evaluating a cloud service provider, due diligence would require inspecting their data center certifications (like SOC 2 Type II), understanding their encryption in transit and at rest, reviewing their identity and access management (IAM) controls, and verifying their compliance with relevant standards.
The process typically follows a structured framework. First, the organization defines the scope and objectives of the due diligence review. Second, it gathers relevant documentation and evidence, such as security questionnaires, audit reports, and policy documents. Third, it performs independent verification, which may include technical testing, interviews with key personnel, and site visits. Fourth, the findings are analyzed against a risk tolerance baseline. Finally, a due diligence report is produced, summarizing risks, gaps, and recommendations. This report becomes a critical input for decision-making, contract negotiations, and risk acceptance.
In the context of mergers and acquisitions (M&A), due diligence is especially rigorous. The acquiring company must evaluate the target company’s software code for vulnerabilities, review its data storage practices, check for any history of breaches, and assess the security culture of the workforce. Failure to perform adequate due diligence can result in inheriting serious liabilities, such as lawsuits, regulatory fines, and reputational damage. For IT professionals, understanding due diligence is essential for passing certification exams and for performing their daily responsibilities in governance and risk management.
Real-Life Example
Think about buying a used car from a stranger online. You see a listing with nice photos and a low price. You feel excited, but you are also nervous. Before you hand over any money, you do some due diligence. You ask for the vehicle identification number (VIN) and run a history report to see if the car was in a major accident or has a salvage title. You take the car to a trusted mechanic who checks the engine, brakes, transmission, and rust. You test drive it on the highway and in city traffic. You also look up the seller’s reputation online and check if there are any complaints about them. All of these steps help you decide if the car is worth the money and if it is safe to drive.
Now map this to IT due diligence. The used car is like a new software vendor or a cloud service provider. The VIN history report is like a security audit report or a SOC 2 certification. The mechanic is like a security analyst performing a vulnerability assessment or penetration test. The test drive is like a proof-of-concept trial where the IT team tests the software in a sandbox environment. Checking the seller’s reputation is like reading customer reviews, checking the Better Business Bureau, or asking for references from other clients.
Just like you would not buy a car without checking it, you should not integrate a new technology partner without due diligence. If you skip the inspection, you might end up with a system that has hidden backdoors, poor encryption, or a history of data breaches. That could cost your company millions and destroy trust with customers. The car analogy makes it clear: due diligence is just common sense, applied to IT decisions.
Why This Term Matters
Due diligence matters because the cost of skipping it can be catastrophic. In the IT world, a single oversight can lead to a data breach that exposes millions of customer records, resulting in regulatory fines, lawsuits, and permanent reputation damage. For example, in 2013, Target suffered a massive breach because they did not perform sufficient due diligence on their HVAC vendor, which had weak network segmentation. That breach cost Target over $200 million. This real-world case shows that due diligence is not just a bureaucratic checkbox; it is a critical safeguard.
For IT professionals, due diligence is part of daily responsibility. When you choose a new firewall, you check its certifications and read independent reviews. When you approve a third-party API, you review its security documentation. When you migrate to the cloud, you run a risk assessment. These are all acts of due diligence. Organizations that embed due diligence into their culture experience fewer incidents and recover faster when something does go wrong.
From a legal and regulatory perspective, due diligence is often mandatory. Frameworks like PCI DSS require merchants to perform due diligence on service providers before processing credit card data. GDPR requires data controllers to ensure that data processors have adequate security measures. If a company fails to perform due diligence and a breach occurs, regulators can impose heavier fines because the company was negligent. In short, due diligence matters because it is the foundation of trust, compliance, and risk management in IT.
How It Appears in Exam Questions
Due diligence appears in exam questions primarily in scenario-based formats. You will not often see a straightforward definition question. Instead, the exam presents a situation and asks you to evaluate whether due diligence was performed or to recommend the next best step.
One common question pattern is the vendor assessment scenario. For example: A company plans to move customer data to a new cloud provider. What should the security team do first? The correct answers typically involve reviewing the provider’s SOC 2 report, checking their incident response plan, and verifying their encryption standards. Distractors might include jumping straight to signing the contract, assuming the provider is trustworthy, or only checking the price. These questions test your understanding that due diligence is a prerequisite to any significant IT decision.
Another pattern involves mergers and acquisitions. You might be told that Company A is acquiring Company B. Which of the following is a due diligence step that should be performed before the acquisition? Options could include reviewing Company B’s security policies, conducting a vulnerability scan on their network, checking their compliance with GDPR, and interviewing their CISO. The exam wants you to recognize that due diligence is thorough and multidimensional.
A third pattern is incident response. For example: After a data breach, an investigation reveals that the company did not review the security controls of a third-party vendor. This is an example of failure in which process? The answer: due diligence. This pattern reinforces that due diligence is not just about new relationships but also about ongoing oversight.
Finally, some questions ask you to distinguish due diligence from due care. For example: Which of the following best describes due diligence? Options might include implementing security controls, investigating risks before a decision, monitoring logs, or updating firewall rules. The correct choice is investigating risks before a decision. These differentiation questions are common because many learners confuse the two terms.
Practise Due diligence Questions
Test your understanding with exam-style practice questions.
Example Scenario
You work as a security analyst for a mid-sized healthcare company. Your company wants to use a new online service to send encrypted emails containing patient health information. The service costs very little and promises easy setup. The marketing manager is eager to start using it immediately. Before approving, your boss asks you to perform due diligence.
You begin by requesting the service provider’s security documentation. You ask for their SOC 2 Type II report, which shows whether they have independent audits of their security controls. They send you a report from last year, but you notice it does not cover data encryption at rest. You follow up and ask for more details about encryption. They explain that they use standard encryption, but they do not specify the algorithm. You also check their privacy policy and find that they store data on servers located in a country that does not have strong data protection laws. This raises a red flag because your company must comply with HIPAA, which requires that protected health information (PHI) be stored in the U.S. or in jurisdictions with equivalent protections.
You then search online for reviews and news about the service. You find several complaints from other healthcare companies about missing audit logs and slow incident response. You also call two references provided by the vendor. One reference mentions that the vendor experienced a ransomware attack six months ago and took three weeks to recover.
After gathering all this information, you compile a due diligence report. You identify high risks in data residency, encryption strength, and incident response readiness. You recommend that the company not use this vendor unless they address these issues. Your manager agrees. The company instead chooses a more established provider that has clear HIPAA compliance documentation and a strong track record. Thanks to your due diligence, the company avoids a potential data breach that could have led to fines, lawsuits, and loss of patient trust.
Common Mistakes
Thinking due diligence is only about technical controls like firewalls and encryption.
Due diligence also includes legal reviews, policy checks, vendor references, and compliance verification, not just technical testing.
Always consider the full picture: people, process, and technology. Ask about policies, audit reports, and regulatory compliance as well.
Confusing due diligence with due care.
Due diligence is the investigation and evaluation before a decision, while due care is the ongoing implementation of protective measures after the decision.
Remember that due diligence happens before you act, like checking the safety of a bridge before crossing. Due care is like maintaining the bridge after it is in use.
Believing due diligence is a one-time activity at the start of a relationship.
Risks change over time, so due diligence should be repeated periodically, especially if the vendor updates their product, changes ownership, or experiences a breach.
Schedule regular vendor reviews and re-assessments. Treat due diligence as an ongoing process, not a checkbox.
Assuming due diligence is only needed for external vendors and not for internal projects.
Internal projects, like deploying a new application or changing infrastructure, also require due diligence to avoid introducing vulnerabilities.
Apply the same rigorous evaluation to internal decisions. For example, before rolling out a new software update, test it in a staging environment and review the change management process.
Relying solely on vendor-provided documentation without independent verification.
Vendors may present biased or incomplete information. Independent verification, like third-party audits or proof-of-concept testing, is essential.
If possible, request independent audit reports like SOC 2 Type II, and conduct your own limited testing or site visit.
Skipping due diligence because the vendor is well-known or brand name.
Even large, reputable vendors can have security gaps or suffer breaches. Blind trust is not a security strategy.
Perform the same level of scrutiny regardless of the vendor’s size or reputation. Brand name does not replace verified evidence.
Exam Trap — Don't Get Fooled
{"trap":"In an exam question, you see a scenario where a company signs a contract with a cloud provider after receiving a marketing brochure that lists security features. The question asks: Did the company perform due diligence? Many learners answer 'yes' because the brochure mentioned encryption."
,"why_learners_choose_it":"Learners see the word 'encryption' and assume that is sufficient. They forget that due diligence requires independent verification and a deeper review of policies, audits, and on-site checks, not just vendor claims.","how_to_avoid_it":"Remember this rule: A vendor’s own documentation is not proof of due diligence.
Due diligence demands that you independently verify claims. Look for clues like 'SOC 2 report,' 'third-party audit,' 'penetration test results,' or 'site visit.' If the scenario only mentions reading a brochure, the correct answer is almost always that due diligence was not performed."
Step-by-Step Breakdown
Define Scope and Objectives
First, determine what you are evaluating and why. Is it a new vendor, a software purchase, or a merger? Document the key questions you need answered, such as compliance with regulations, data security, and financial stability. This step sets the boundaries of the due diligence effort.
Gather Information and Documentation
Request relevant documents from the entity being evaluated. This includes security policies, audit reports (like SOC 2), certifications (ISO 27001), incident response plans, data flow diagrams, and privacy policies. Also gather information from independent sources like industry reports, customer references, and news articles.
Perform Independent Verification
Do not rely solely on provided documentation. Conduct your own technical testing, such as vulnerability scans or penetration tests. Arrange site visits if possible. Interview key personnel like the CISO or IT manager. Verify certifications directly with the certifying body if needed.
Analyze Findings Against Risk Tolerance
Compare the collected evidence against your organization’s risk acceptance criteria. For each finding, assign a risk level (low, medium, high). Identify gaps where the entity does not meet your security or compliance requirements. Document any red flags, such as unresolved vulnerabilities, history of breaches, or weak legal protections.
Document and Report Results
Create a due diligence report that summarizes the scope, methodology, findings, and recommended actions. Include a clear risk rating and a list of conditions that must be met before proceeding. This report becomes the basis for decision-making and contract negotiations.
Make a Risk-Based Decision
Present the report to the relevant stakeholders, such as management, legal, and procurement. Based on the findings, decide whether to proceed, proceed with conditions, or reject the relationship. Document the decision and the rationale for audit purposes.
Establish Ongoing Monitoring
Due diligence does not end after the decision. Set up a schedule for periodic reviews, such as annual security assessments or quarterly compliance checks. Require the vendor to notify you of any significant changes or security incidents. This ensures that you continue to manage risk over time.
Practical Mini-Lesson
Due diligence is one of the most practical concepts you will learn in IT security because it is something you will use almost daily. Whether you are an IT manager, security analyst, or compliance officer, you will constantly be asked to evaluate new tools, vendors, or processes. Understanding how to perform due diligence effectively can save your organization from disaster.
In practice, due diligence starts with a clear plan. Do not jump into gathering documents without knowing what you are looking for. Begin by understanding the business context. Is the vendor handling sensitive data? What regulations apply? What is the potential impact if something goes wrong? Once you have the context, create a checklist tailored to the situation. For a cloud provider, your checklist might include data encryption, access controls, data residency, incident response, business continuity, and subcontractor management. For a software product, your checklist might include code quality, vulnerability history, patch cadence, and third-party dependencies.
Next, be systematic about gathering evidence. Use a vendor security questionnaire as a starting point. Popular frameworks like the SIG (Standard Information Gathering) questionnaire from the Shared Assessments Program can help. But do not stop there. Ask for proof. If a vendor claims to have encryption, ask for their encryption policy and the specific algorithms used. If they claim to be SOC 2 compliant, ask for a copy of the SOC 2 report and check the date. Look for gaps, scope limitations, or adverse findings in the report.
One area where professionals often struggle is interpreting audit reports. For example, a SOC 2 Type II report with a qualified opinion means the auditor found something that did not meet the criteria. That is a red flag. Similarly, a penetration test report that shows critical vulnerabilities is a serious concern. You must be able to read and understand these documents.
What can go wrong? The most common failure is time pressure. Business stakeholders often push for quick approvals, and security teams may feel pressured to cut corners. Do not give in. Document your concerns and escalate if necessary. Another common risk is over-reliance on certifications. A vendor might have an ISO 27001 certification but still have weak operational security because the certification only covers a specific scope. Always look at the scope statement.
Finally, remember that due diligence is not just about finding problems. It is also about recognizing when a vendor or technology is a good fit. A thorough due diligence process can give you the confidence to proceed, knowing that risks are understood and managed. In the long run, this builds trust between your organization and its partners.
Memory Tip
Due diligence: Investigate Before You Trust. The D in Due stands for 'Dig deep' before you decide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →SY0-701CompTIA Security+ →ISC2 CCISC2 CC →220-1102CompTIA A+ Core 2 →SC-900SC-900 →CDLGoogle CDL →Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
Frequently Asked Questions
What is the difference between due diligence and due care?
Due diligence is the investigation and evaluation done before making a decision, like checking a vendor's security before signing a contract. Due care is the ongoing implementation of security measures after the decision, like regularly patching systems and training employees.
Is due diligence mandatory for IT security?
In many cases, yes. Regulations like GDPR, HIPAA, and PCI DSS require organizations to perform due diligence on vendors and third parties. Failing to do so can result in fines and legal liability.
Can due diligence be done quickly?
Due diligence takes time and should not be rushed. However, for low-risk situations, a streamlined process can be used. For high-risk scenarios, a thorough, multi-week review is recommended.
What documents are commonly reviewed during due diligence?
Common documents include SOC 2 reports, ISO 27001 certificates, penetration test reports, incident response plans, data flow diagrams, privacy policies, and business continuity plans.
Who is responsible for performing due diligence?
Typically, the security team leads the technical evaluation, while legal handles the contractual and regulatory aspects. Procurement and business owners are also involved to ensure alignment with business needs.
What happens if due diligence reveals serious issues?
The organization can choose to not proceed, renegotiate terms, require the vendor to fix issues before signing, or accept the risk with appropriate documentation. The decision should be made by management with input from security and legal.
Is due diligence only for external vendors?
No, it also applies to internal projects, such as deploying new software or changing infrastructure. It helps prevent introducing vulnerabilities into your own environment.
Summary
Due diligence is a fundamental concept in IT security governance that refers to the systematic process of investigating and evaluating risks before making a decision or entering into a relationship. It applies to vendor selection, software adoption, mergers and acquisitions, and even internal changes. The process includes defining scope, gathering information, performing independent verification, analyzing findings, documenting results, and establishing ongoing monitoring.
Why does it matter? Because skipping due diligence can lead to data breaches, regulatory fines, and loss of customer trust. Real-world examples like the Target breach show the high cost of negligence. In certification exams for CISSP, Security+, and ISC2 CC, due diligence appears in scenario-based questions that test your ability to identify when it was performed or missed. The most common trap is confusing due diligence with due care or assuming a vendor's marketing materials are sufficient evidence.
As an IT professional, mastering due diligence will make you a valuable asset to any organization. It is not just a checkbox; it is a mindset of thoroughness and responsibility. Always remember: investigate before you trust.